Settings
      Back to home
      1. Collaboard Help Center
      2. Administration
      3. Settings

      Login providers - SSO setup

      Learn how to set up SSO for your organization and how to manage your login providers.

      General

      With login providers you can create, review, configure your SSO login. You can also add a username/ password login or remove it.

      Available to Advanced and Enterprise plans. Accessible for owners and managers.

      You will get a tenant associated to your subscription when you have your own login provider. 

      Find out what having a tenant means.

      Not sure, if you are already know enough to get started? Check out which SSO providers and scope we support here.

      You have an on premise installation? Please start the set up here and return to this page when prompted to.

      Create and configure your login providers

      Login to your Collaboard account.
      Navigate to Settings and Login providers.

      Create a new login provider or import a configuration. If you have an existing login provider for your tenant it will show in the list. You can edit that provider anytime.

      If you have opted for synced user provisioning via SCIM, registration can be disabled for your login providers to make sure only synced users are registered Collaboard users like this:

      Create a new SSO provider with import/export configuration

      Process overview

      1. Import your SSO configuration.
      2. Add Collaboard default SSO parameters (see below).
      3. Export SSO configuration and import at your IdP. Done.

      We recommend to use the import/ export features. Alternatively, you may of course enter all data manually. To follow the manual route start with Create login provider.

      1. Following the import/export route select Import.
      2. Select your provider and copy-paste your SSO configuration from XML or JSON.
      3. Enter a name. The name will show on the login button. If you name your MS login Login with Microsoft it will show like this:

      4. Use the Collaboard default SSO parameters to complete the SSO data.
      5. Scroll down in the form and configure other available settings, like 2FA.
      6. Save your configuration.
      7. Export your configuration to import it at your IdP to complete the SSO setup. Click the three dot menu and select Export configuration:

      Collaboard default SSO parameters

        OAuth parameters

        Parameter WEB CH DE
        Provider Client ID unique identifier, e.g. web.collaobard.app unique identifier, e.g. ch.collaobard.app unique identifier, e.g. de.collaobard.app
        Redirect URI https://api.collaboard.app/auth/oauth2/externallogincallback/oauth https://ch-api.collaboard.app/auth/oauth2/externallogincallback/oauth https://de.collaboard.app/server/auth/oauth2/externallogincallback/oauth
        Scope openid email profile openid email profile openid email profile


        SAML parameters

        Parameter WEB CH DE
        Provider Client ID  unique identifier, e.g. web.collaobard.app  unique identifier, e.g. ch.collaobard.app  unique identifier, e.g. de.collaobard.app
        Redirect URI https://api.collaboard.app/auth/oauth2/externallogincallback/saml https://ch-api.collaboard.app/auth/oauth2/externallogincallback/saml https://de.collaboard.app/server/auth/oauth2/externallogincallback/saml
        Scope n/a n/a n/a
        • Enable TFA: if true, your users will be prompted to enter an OTP code which they will receive via email as a second factor for authentication.
        • Auto-accept ToS: if true, you will accept the ToS on behalf your users. As such, they will not need to accept the ToS when they register.
        • Disable registration: if true, the login provider is not available for registration.
          CAVEAT: if there is no SCIM sync in place, you NEED to have one login provider that allows for registration. With SCIM you can safely disable registration for all your login providers to only have SCIM-synced users registered in Collaboard.
        • Advanced settings. Only needed if you want to customize your SSO set up. Please contact our support.
          • Extra properties: needed, if you want to add encryption or else to your SSO. By default we support signing.
          • Claim mapping: if empty, the default mapping will be used. If a customized mapping is needed, it may be configured here.
          • Readonly fields: claims that are not updated, but kept at a static value.

        Username/ password

        Username/ password provider may prove useful, if SSO fails for any reason or the setup is delayed. It will provide an instant means to get your users logged in. You can create/ remove it anytime.

        • Create a new provider and select UsernamePassword from the Provider drop down menu.
        • Choose a name
        • Enable TFA: Your users will be prompted to enter an OTP code which they will receive via email as a second factor for authentication.
        • Auto-accept ToS: if true, you will accept the ToS for your users. As such, they will not need to accept the ToS when they register.
        • Disable registration: if true, the login provider is not available for registration.
          CAVEAT: if there is no SCIM sync in place, you NEED to have one login provider that allows for registration. With SCIM you can safely disable registration for all your login providers to only have SCIM-synced users registered in Collaboard.
        • You do not need the Advanced settings for Username/ password.

        Tenants

        We set up and configure your tenant. This is part of the onboarding process.

        If you have opted-in for SSO, we will also configure a tenant for your subscription.

        During the onboarding process we will ask the following:

        Question Explanation/ Example
        Which domains would you like to associate with your tenant?

        @mycompany.de, @abc.com, ...

        Associated domains will automatically be redirected to the tenant page and CANNOT sign in/ up on the default login page.
        Do you want to blacklist these domains on all other Collaboard environments? Sign in/ up with a blacklisted domain is forbidden on the respective environments.
        Would you want to add all users automatically to your subscription? If true, all users that sign up via the tenant page will belong to your subscription. There won't be any free user accounts.

        Do you need synced user provisioning?

        If yes, do you want to disable registration for your login providers?

        We support SCIM.

        If disabled, users can ONLY be registered via the SCIM sync.
        Do you need a specific Email message provider? We support different providers to meet your IT security requirements.

        What do I do with a tenant?

        • You will have a specific tenant page, like web.collaboard.app/authenticate/company that you can bookmark and share in your onboarding documentation.
          • The tenant page will only show the configured login provider.
          • Automatic redirect to the tenant page for
            • users with domains that are associated to the tenant. Users with such a domain CANNOT sign in/ up on the default login page, thus making sure they will belong to your tenant and see the correct login provider (your SSO login).
            • all users belonging to the tenant
        • Blacklisting on other Collaboard environments, if requested. Users trying to register on an environment with a blacklisted domain will be rejected and asked to contact their IT Admin.
        • You need a tenant for free and guest user branding and to make organization templates and custom fonts available to your free users.

        Should you experience any issues with the login page, the guest and free user branding or similar, please reach out to our support team